CVE-2025-2891

Name of the Vulnerable Software and Affected Versions Real Estate 7 WordPress theme versions up to, and including, 3.5.4

Description The Real Estate 7 WordPress theme is vulnerable to arbitrary file uploads due to missing file type validation via the 'template-submit-listing.php' file. This makes it possible for authenticated attackers, with Seller-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible if front-end listing submission has been enabled.

Recommendations For versions up to, and including, 3.5.4, consider disabling the template-submit-listing.php file or restricting access to it until a patch is available. As a temporary workaround, restrict the ability to upload files to only trusted users to minimize the risk of exploitation. Avoid using the front-end listing submission feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.